T 3.41 Improper use of remote access services

Unless users receive appropriate training it is possible, as with every other IT system, for security problems to develop as a result of users' (usually unintentional) mistaken actions while using RAS or in the environment in which RAS is used (e.g. violation of IT security guidelines or incorrect configuration).

Moreover, stationary and mobile IT systems on which RAS client software is installed are often used not just to access a LAN. In particular, if the RAS connection is established over the Internet, then often Web and e-mail services are used over these IT systems. In many cases external networks are accessed, for example, when employees working in the field log on to customer networks using mobile RAS clients. This can result in exposure to the threats described below.

• As a minimum, establishment of connections which have not been approved causes unnecessary loading of the system, as an authorisation check has to be performed in every case. In this way, system resources are tied up unnecessarily. When this is combined with incorrect configuration settings, the result may that an attempt at unauthorised access succeeds.

• Amongst other possibilities, RAS clients can be used for Internet access. One potential danger here is that unless special precautions (e.g. secure configuration or PC firewall) are taken, it may be possible to access the client computer from the Internet. This means that the computer is exposed to potential attacks. Thus, for example, an aggressor could disable data encryption or change other RAS configuration data so that secure RAS communication is no longer possible. Similar problems (viruses, Trojan horses) can arise where software has been downloaded from the Internet and stored on the RAS client.

• If a RAS client is connected to an external LAN (e.g. customer network or private home network), often there will be interfaces from that LAN to other networks, e.g. the Internet or local subnets. Depending on the security requirements covering LAN administration, uncontrolled access to the RAS client may be possible (see also T 5.39 Infiltrating computer systems via communication cards).

Examples

• During a business trip an employee logs on to the corporate network over the Internet. Before the connection is established with the RAS system, he loads an executable file from a Web server. In addition to its "official" functionality, the file also contains a malicious section of code which attempts to influence the security mechanisms in the RAS configuration (e.g. disabling of encryption) and to access data in the corporate network where an existing RAS connection has been previously discovered.

• An employee working out in the field connects his laptop to the network of a customer. In order to be able to exchange data with the customer, he makes some local directories shared so that they can be accessed from the network. By mistake the file in which the employee has stored his authentication data is also transmitted during the exchange of data.